Security/Sandbox/2016-05-12
haik
- I've been trying to learn about the bugs we need to fix in order to restrict file system access
- Testing Nightly with no read/write to the $HOME to see what blows up, also testing with most of system.sb removed from ruleset
bobowen
- bug 1035125 - On Windows, plugin-container.exe is linked against the sandbox_s library twice - patches reviewed and some changes up in response to glandium's review. Reasonable chance of landing next week, now that the VS2015 problem looks like it is resolved.
- bug 1250125 - Make a 0 security.sandbox.content.level turn off the content process sandbox to allow Beta testing - patch up for review.
- bug 1189846 - Print Edit 15.10 - just need to respond to smaug's review.
- bug 1255336 - Printing results in empty page with print.always_print_silent=true - uplifted to Beta
- bug 1260413 - Page dimensions aren't passed to print preview when printing via the parent - looks like my change for bug 1255336 fixed this; asked the reporter to retest.
- bug 1271348 - Matrix print full width - landed, uplift to Beta requested.
- bug 1271900 - Firefox prints with wrong size when either size is less than inch - landed, uplift to Beta requested.
tedd
- bug 1259508 - sys_clone violation - cubeb patch submitted, r? requested
- bug 1270147 - remote nsIOService::SpeculativeConnect - patch seems to have the r+, guess they are waiting for tests
- bug 742434 - enable seccomp on nightly - talked to gcp, seems like an easy patch in old-configure.in
- looking for ways to help reduce the seccomp whitelist, like file access etc.
gcp
- Linux Telemetry changes
- https://bugzilla.mozilla.org/show_bug.cgi?id=1098428
aklotz
- bug 1270018 - NS_APP_CONTENT_PROCESS_TEMP_DIR should only return the sandbox writeable temp - written, try looks ok, need to push to review
roundtable
- Looked at bug 1196384 - (sandbox-fs) [meta] Cross-platform blockers for default-deny filesystem policy for content processes
- Addons can use chrome: and resource: URLs -- can we whitelist files that each addon needs?
- file:// protocol - bug 922481
- Printing
- Any other reasons content would need to read/write within $HOME?
- Some addons try to read the configuration from the profile
- From last week
- bug 1269878 - TB is asking if we can move sandbox config to browser/. I told them to --disable-content-sandbox for the immediate term.
- bug 1269930 - Crash on windows when logging AEC data from about:webrtc - what should our policy be on file write access in the child for new things?